概要
備忘録。
IPSec Site-to-Site で EdgeRouter-X(ER-X) と VyOS を接続し、
その上で gre-bridge で L2 Tunnel を作成します。
gre-bridge の理由
ER-X同士で MPLS を使いたい時に、どうしても VyOS を挟まないといけない場合の苦肉の策。
MPLS の設定で LDP を使うとき、マルチキャストで neighbor を探しに行きますが、
VyOS は MPLS に対応していないしマルチキャストルーティングもできないしで困った困った。
それじゃ L2 で通せばいいのでは?ということで gre-bridge を利用することに。
# ネットワーク図
構成図
論理図
設定手順
VyOS と ER-X に IPSec、 Bridge、Tunnel の設定を行います。
VyOS 設定
IPアドレス:br0 192.168.0.1/24
lo 10.255.0.1/32
Global IP XXX.XXX.XXX.XXX
# IPsec settings (VyOS hub: site-to-site, IKEv1, pre-shared secret)
# NOTE(review): peer 0.0.0.0 with local-address 'any' accepts IKE from any
# source address, so the PSK below is the only thing that authenticates an
# ER-X; keep it long and random and do not reuse it for anything else.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# PFS uses dh-group2 (1024-bit MODP) while IKE below negotiates group 14
# (2048-bit); both ER-X peers support group 14, so the matching PFS group
# (dh-group14, if this VyOS version offers it) would avoid the weaker group.
set vpn ipsec esp-group ESP pfs 'dh-group2'
# Proposal 1 (sha256) is preferred; proposal 2 only adds a sha1 fallback that
# the ER-X configs on this page do not need.
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
# Same sha1 fallback as in the ESP group; see the note there.
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IKE/ESP is terminated on the interface carrying the global IP.
set vpn ipsec ipsec-interfaces interface 'eth0'
# NOTE(review): every tunnel below sets allow-nat-networks 'disable', so this
# 0.0.0.0/0 entry presumably has no effect on these tunnels — confirm, and
# drop it if unused.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
# NAT-T is needed because the ER-X sides sit behind PPPoE with dynamic IPs.
set vpn ipsec nat-traversal 'enable'
# peer 0.0.0.0 = accept dynamic peers; one PSK is shared by both ER-X.
# 'IPSecPass!' is a placeholder; the real value must match the ER-X configs.
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): 'initiate' cannot target a 0.0.0.0 peer and both ER-X sides
# are configured as 'respond'; VyOS likely treats this as respond — verify
# which side actually brings the tunnel up.
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE'
set vpn ipsec site-to-site peer 0.0.0.0 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 0.0.0.0 local-address 'any'
# Tunnel 1: VyOS loopback <-> ER-X1 loopback. The /32 selectors are exactly
# the gre-bridge endpoints of tun1 below, so the GRE (and the bridged L2
# frames inside it) only leaves this box inside ESP.
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.255.0.2/32'
# Tunnel 2: VyOS loopback <-> ER-X2 loopback (endpoints of tun2 below).
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 esp-group 'ESP'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 local prefix '10.255.0.1/32'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 2 remote prefix '10.255.0.3/32'
# Bridge settings: br0 joins both gre-bridge tunnels into one L2 segment.
set interfaces bridge br0 address '192.168.0.1/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off is safe only because the topology is a star (ER-X1 and ER-X2 reach
# each other solely through this hub); any second L2 path between the spokes
# would loop with no protection.
set interfaces bridge br0 stp 'false'
# Loopback settings: stable GRE/IPsec endpoint independent of the WAN address.
set interfaces loopback lo address '10.255.0.1/32'
# Tunnel settings: gre-bridge (L2 over GRE) from this loopback to each ER-X.
# multicast is enabled because LDP neighbor discovery uses multicast (see intro).
# NOTE(review): Ethernet + GRE + ESP (+ PPPoE on the ER-X side) reduce the
# usable MTU; if large frames fail, set an explicit mtu on the tunnel/bridge
# interfaces — confirm against observed behaviour.
set interfaces tunnel tun1 encapsulation 'gre-bridge'
set interfaces tunnel tun1 local-ip '10.255.0.1'
set interfaces tunnel tun1 multicast 'enable'
set interfaces tunnel tun1 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun1 remote-ip '10.255.0.2'
set interfaces tunnel tun2 encapsulation 'gre-bridge'
set interfaces tunnel tun2 local-ip '10.255.0.1'
set interfaces tunnel tun2 multicast 'enable'
set interfaces tunnel tun2 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun2 remote-ip '10.255.0.3'
ER-X1 設定
前提:インターネットに接続可能であり、その設定がされていること。
インターネットと通信しているインターフェースは pppoe。
VyOS に対して疎通が取れること。
IPアドレス:br0 192.168.0.2/24
lo 10.255.0.2/32
# IPsec settings (ER-X1 spoke: responds to the VyOS hub, IKEv1, PSK)
# ESP/IKE groups mirror the VyOS side; proposal 1 (sha256) is preferred and
# proposal 2 (sha1) is a fallback neither peer on this page needs.
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# PFS dh-group2 is 1024-bit MODP while IKE uses group 14 (2048-bit); consider
# the matching group-14 PFS value if this EdgeOS version offers it.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IPsec is bound to the PPPoE WAN interface (dynamic address, see the
# prerequisites above).
set vpn ipsec ipsec-interfaces interface pppoe
# NOTE(review): tunnel 1 below sets allow-nat-networks disable, so this
# 0.0.0.0/0 entry presumably has no effect here — confirm, drop if unused.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# XXX.XXX.XXX.XXX = the VyOS global IP. The PSK must equal the one on VyOS;
# 'IPSecPass!' is a placeholder and, because the hub accepts any peer address,
# it is the only credential authenticating this router — choose it accordingly.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): 'respond' here while the hub is also unable to initiate
# towards a dynamic peer — verify which side actually starts the tunnel.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
# default-esp-group is used instead of a per-tunnel esp-group (compare VyOS).
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
# Tunnel 1: ER-X1 loopback <-> VyOS loopback; the /32 selectors equal the
# gre-bridge endpoints of tun0 below, so GRE only leaves inside ESP.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 local prefix 10.255.0.2/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 1 remote prefix 10.255.0.1/32
# Bridge settings: br0 is the L2 segment shared with VyOS and ER-X2.
set interfaces bridge br0 address '192.168.0.2/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off relies on the star topology (only one tunnel, to the hub); a second
# L2 path to ER-X2 would loop without STP.
set interfaces bridge br0 stp 'false'
# Loopback settings: stable GRE/IPsec endpoint independent of the PPPoE address.
set interfaces loopback lo address '10.255.0.2/32'
# Tunnel settings: gre-bridge to the VyOS loopback, member of br0.
# multicast is enabled for LDP neighbor discovery (see intro).
# NOTE(review): Ethernet + GRE + ESP + PPPoE lower the usable MTU; set an
# explicit mtu on tun0/br0 if large frames fail — confirm.
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.2'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'
ER-X2 設定
前提:インターネットに接続可能であり、その設定がされていること。
インターネットと通信しているインターフェースは pppoe。
VyOS に対して疎通が取れること。
IPアドレス:br0 192.168.0.3/24
lo 10.255.0.3/32
# IPsec settings (ER-X2 spoke: identical to ER-X1 except for addresses and
# the tunnel index; see the ER-X1 notes for the PSK, PFS and sha1 caveats)
set vpn ipsec esp-group ESP compression 'disable'
set vpn ipsec esp-group ESP lifetime '86400'
set vpn ipsec esp-group ESP mode 'tunnel'
# PFS dh-group2 (1024-bit) is weaker than the IKE group 14 used below.
set vpn ipsec esp-group ESP pfs 'dh-group2'
set vpn ipsec esp-group ESP proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 1 hash 'sha256'
# sha1 fallback; not needed by the peers on this page.
set vpn ipsec esp-group ESP proposal 2 encryption 'aes256'
set vpn ipsec esp-group ESP proposal 2 hash 'sha1'
set vpn ipsec ike-group IKE ikev2-reauth 'no'
set vpn ipsec ike-group IKE key-exchange 'ikev1'
set vpn ipsec ike-group IKE lifetime '10800'
set vpn ipsec ike-group IKE proposal 1 dh-group '14'
set vpn ipsec ike-group IKE proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE proposal 2 dh-group '14'
set vpn ipsec ike-group IKE proposal 2 encryption 'aes256'
set vpn ipsec ike-group IKE proposal 2 hash 'sha1'
# IPsec is bound to the PPPoE WAN interface.
set vpn ipsec ipsec-interfaces interface pppoe
# NOTE(review): tunnel 0 below disables allow-nat-networks, so this entry
# presumably has no effect here — confirm, drop if unused.
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal 'enable'
# XXX.XXX.XXX.XXX = the VyOS global IP; the placeholder PSK must match VyOS
# and is the only credential authenticating this router to the hub.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication mode pre-shared-secret
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX authentication pre-shared-secret 'IPSecPass!'
# NOTE(review): 'respond' on both spokes — verify which side initiates.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX connection-type respond
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX default-esp-group ESP
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ike-group IKE
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX ikev2-reauth inherit
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX local-address default
# Tunnel 0 (ER-X1 uses index 1; the index is local and the difference is
# harmless): ER-X2 loopback <-> VyOS loopback, matching tun0's endpoints
# below so GRE only leaves inside ESP.
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 local prefix 10.255.0.3/32
set vpn ipsec site-to-site peer XXX.XXX.XXX.XXX tunnel 0 remote prefix 10.255.0.1/32
# Bridge settings: br0 is the L2 segment shared with VyOS and ER-X1.
set interfaces bridge br0 address '192.168.0.3/24'
set interfaces bridge br0 aging '300'
set interfaces bridge br0 hello-time '2'
set interfaces bridge br0 max-age '20'
set interfaces bridge br0 priority '4096'
# STP off relies on the star topology; a second L2 path to ER-X1 would loop.
set interfaces bridge br0 stp 'false'
# Loopback settings: stable GRE/IPsec endpoint independent of the PPPoE address.
set interfaces loopback lo address '10.255.0.3/32'
# Tunnel settings: gre-bridge to the VyOS loopback, member of br0;
# multicast enabled for LDP neighbor discovery (see intro).
# NOTE(review): consider an explicit mtu on tun0/br0 if large frames fail.
set interfaces tunnel tun0 encapsulation 'gre-bridge'
set interfaces tunnel tun0 local-ip '10.255.0.3'
set interfaces tunnel tun0 multicast 'enable'
set interfaces tunnel tun0 parameters ip bridge-group bridge 'br0'
set interfaces tunnel tun0 remote-ip '10.255.0.1'
確認
・VyOS で show vpn ipsec sa を実行し、ER-X1・ER-X2 との SA が両方 up になっている(GRE が IPSec の外を流れていないことの確認)
・ER-X1 で VyOS の br0 に traceroute を実行し、1ホップで到達する
・ER-X1 で ER-X2 の br0 に traceroute を実行し、1ホップで到達する
以上です。